Placing the onus on businesses to be resilient to attack - is it feasible?

The Australian Government has launched a new national strategy for protecting crowds from terror attack. Launched in August by Prime Minister Malcolm Turnbull, ‘Australia’s Strategy for Protecting Crowded Places from Terrorism’ places the onus for threat preparedness precariously on businesses, writes editor Nicholas Dynon.

At a press conference to launch the strategy, Prime Minister Turnbull said terror attacks in Paris, London, Berlin and Barcelona showed that terrorists targeted crowded places.

According to the new document, attacks on crowded places overseas, “demonstrate how basic weapons— including vehicles, knives, and firearms — can be used by terrorists to devastating effect.” Congested places such as stadiums, shopping centres, pedestrian malls, and major events, it explains, “will continue to be attractive targets for terrorists.”

The objective of the strategy is to “protect the lives of people working in, using, and visiting crowded places by making these places more resilient.” According to its authors, its success rests on “strong and sustainable partnerships across Australia between governments and the private sector to better protect crowded places.”

Little-known in New Zealand

Released by the Attorney-General’s Department in Canberra, the strategy was developed in conjunction with state and territory governments, local government, police and the private sector. Yet strangely, the document appears to have been published by the Australia New Zealand Counter Terrorism Committee (ANZCTC), a high-level body comprised of representatives from the Australian federal and state and territory governments and the New Zealand Government.

New Zealand involvement, however, appears to have been in name only, with the document clearly focused on Australia. Its official launch, which made big news in the Australian press, received scant coverage in the New Zealand media, and there has been no public mention of it out of Wellington.

Indeed, enquiries made by Line of Defence have revealed that despite the fanfare that accompanied the document’s release across the Tasman, very few security professionals in this country are aware of this ANZCTC strategy.

In a way, this is unsurprising. It’s widely acknowledged that New Zealand’s terror threat profile is significantly different to that of Australia, and that Australia’s threat level of ‘Probable’ places that country in an altogether higher risk context. Nevertheless, would such a strategy be potentially relevant or helpful in the New Zealand context?

According to eminent Wellington-based security specialist and author of Protecting People in New Zealand, Carlton Ruffell, the answer is yes. “New Zealand,” he said, “has already experienced targeted violence in places like Aramoana and Ashburton, so our profile does warrant it.”

“There is nothing wrong with piggy-backing on a bigger neighbour with more resources to address these issues and with whom we may need interoperability. However, it needs to have a commitment to resources at New Zealand's end of it. Where those New Zealand resources are is not clear in the documents.”

Auckland-based Security Consultant and deputy chair of the New Zealand chapter of ASIS International, Lincoln Potter, agrees. “I think the strategy is potentially very relevant for New Zealand and certainly presents a very good case for a wider uptake of our Protective Security Requirements (PSR),” he told Line of Defence.

“Do we want to experience a hostile attack in a crowded place before such a method of attack makes it onto our threat profile? I think not.”

The UK’s National Counter Terrorism Security Office released various Protecting crowded places from terrorism guidelines five years prior to the Australians, and it is not inconceivable that developments in the international terror threat-scape might trigger an eventual cascading of such an approach to New Zealand. So, what can we learn from the UK and Australian efforts?

Enjoying this article? Consider a subscription to the print edition of Line of Defence.

Critiquing the strategy

Although some critics have suggested that it represents more of a ‘placebo effect’ than an effective approach to resilience against terrorist attacks in public places, there has been muted criticism of the strategy among major news outlets across the Tasman. By contrast, Australian counter-terrorism policy wonks have let loose.

Isaac Kfir, head of the Counter-terrorism Policy Centre at ASPI, has referred to the Strategy’s placement of responsibility for threat preparedness and resilience on the owners of businesses operating in crowded places as worrying.

“The strategy is too thin on detail to be a useful tool,” he wrote in The Strategist. “It places a great deal of responsibility on the business community, but it doesn’t explain what help will be given to businesses…”

“Owners and operators of crowded places have the primary responsibility for protecting their sites,” states the Strategy, “including a duty of care to take steps to protect people that work, use, or visit their site from a range of foreseeable threats, including terrorism.”

Ruffell considers the strategy to be reasonable in this regard. “Simply finding out who operates a potentially targeted area would be an arduous task. The trick is letting operators know they are responsible and then where to get information. “

According to Potter, any potential barrier to the uptake of the strategy would probably fall in this area. “It could be argued that the reasonable duty of care is being stretched to include acts of terrorism and that this is not fair and the responsibility is being placed on the owners and operators.”

“Obvious complaints would include cost of implementation and many would argue that they cannot afford it and it is therefore unreasonable.”

At the same time, he sees these businesses as having a duty of care in the context of a terror attack. “People who are under threat and cannot egress an area will take or seek shelter in businesses, [so] the duty of care can change very quickly. They can have an emergency egress by way of “back of house” not available under normal operating conditions."

Public-Private engagement

The Strategy invites businesses to join ‘State and Territory Crowded Places Forums’, which are envisaged as “a vehicle for fostering local networks and partnerships to ensure all stakeholders are as well connected as possible.” It also indicates that businesses will receive government support in implementing the strategy.

As a result of the Pitt Review, which followed the 2007 flooding disaster in the UK, resilience forums were set up for each local government area in that country. Could such an engagement model be of benefit in New Zealand?

Ruffell, who suggested such a model in an article on an intelligence-led approach to the Rugby World Cup in 2011, sees benefit but also difficulties – “it needs to happen but it's hard to do.”

“These public-private intelligence clearing houses are used in the United States. I first saw one in an article on securing the Democratic National Convention in 2008. So, I'm a big fan of this approach.

“The problem in New Zealand is the paring of Police services to the absolute minimum. To do a new thing means taking resources away from another area. The churn in staff also makes establishing public-private relationships very difficult,” he said

“I was involved in such forums and they are great, but SMEs don't typically engage,” she told Line of Defence. SMEs either don't have time to participate and/or they don't see it as an immediate priority. Thus, they rely on government and regulation and do the minimum.

She told NZ Security Magazineback in 2015 that investing for preparedness tends to have to be driven from outside the firm, not inside. “It tends to have to come as a push factor, especially with SMEs.”

“If they are in a higher supply chain, such as a supplier to Marks and Spencer's, their contracts may stipulate that all suppliers must follow their policies in many regards including risk management,” she said.

In terms of SME thinking, Sullivan-Taylor notes that activities such as counter-terrorism, emergency management and recovery are seen as something of a public good. Businesses tend to have an expectation that they can outsource responsibility for these things to government and that taxes should be put towards protecting them against even the most unlikely of exigencies.

Avoiding DIY security

The Strategy provides a suite of guidance documents relating to specific threats, such as vehicular attacks, chemical attacks, improvised explosive devices and active shooters. Documents include guidelines, security audits and self-assessment tools, which are aimed at assisting owners and operators to understand and implement protective security measures.

Although the Strategy makes a half-hearted recommendation that business operators seek the advice of an appropriately skilled licensed security consultant, could the guidance documents promote a DIY approach to security by untrained civilians? And could the shifting the responsibility onto businesses result in suboptimal compliance-driven outcomes?

According to Ruffell, the Health and Safety at Work Act 2015 (HASAWA) makes it clear that in the New Zealand context, a Person Conducting a Business or Undertaking (PCBU) must think of security. “If they are smart enough to consider this threat to the space they control and to look up these documents, they would also be smart enough to realise they need expert help.”

“My main concern would be people wishing to avoid cost, copying and pasting these documents into their own policies or standard operating procedures without doing the homework necessary to make these plans a success or [without] ever drilling the procedure.

“Having seen the security efforts of a few shopping centres recently, this is a real concern. Actually protecting people – to the right level – should be the focus of the security effort, not legal compliance.”

Potter is of the opinion that the audit and self-assessment documents are easy to understand and unlikely to pose problems for business operators. But he too warns of substandard outcomes “if business owners and operators choose to do their own risk assessments and implement their own protective security measures to avoid the cost of using qualified professionals.”

Noting Sullivan-Taylor’s comments that SMEs tend to have to be pushed to act and otherwise do the minimum, we can expect the vast majority of businesses to avoid what costs they can. Ultimately, in the absence of any legislated requirement to protect their sites from terror attack, most businesses will likely feign total ignorance of such a Strategy… despite whatever fanfare may have accompanied its launch.